Agencies eager to step up cybersecurity training

If knowing what you don’t know is a form of knowledge, government employees appear to be getting smarter all the time.

As the cybersecurity environment becomes increasingly complex, government information technology workers say that their agencies need more staff with cybersecurity expertise and that at least some of that staff needs access to more specialized training.

All told, 40 percent of respondents said that the IT team at their agencies is understaffed to combat perceived cybersecurity threats, while another 37 percent said their staffs were barely adequately sized, according to a recent survey by the 1105 Government Information Group. Only 22 percent said their IT staffs were ideally sized. (See chart.)

Figure 1

And nearly one-third of respondents said their agencies’ IT employees were not really trained to combat cyber assaults, with 50 percent saying they were adequately trained. Only 18 percent said their IT employees possessed expert knowledge.

Looking at departmentwide initiatives, agencies are doing fairly well when it comes to basic security awareness training. What is missing, though, is security geared toward further developing the skillsets of employees with specific interests in cybersecurity.

Nearly 60 percent of respondents said they were not satisfied with the budget for role-based training available at their agencies, with another 31 percent saying they were somewhat satisfied and only 10 percent very satisfied. The numbers were nearly identical when it came to professional development and education. (See chart.)

Figure 2

The Obama administration is aware of these concerns. The Federal Chief Information Officers Council teamed with the National Initiative for Cybersecurity Education to assess the state of the federal IT workforce in the area of cybersecurity.

7 best practices in workforce planning

In a February report on the federal government’s cybersecurity strategy, the Government Accountability Office identified seven leading practices that agency workforce planning should address:

Link workforce plans to the agency’s strategic plan.
Identify the type and number of employees needed for an agency to achieve its mission and goals.
Define the roles, responsibilities, skills and competencies for key positions.
Develop strategies to address recruiting needs and barriers to filling cybersecurity positions.
Ensure that compensation incentives and flexibilities are effectively used to recruit and retain employees for key positions.
Establish a training and development program that supports the competencies the agency needs to accomplish its mission.

Their study, released in March, identified three areas in which more training was needed: information assurance, vulnerability assessment and knowledge management. Information assurance is in highest demand at the GS-4 level and below, the study found.

Another factor to consider is contract employees. In June, the inspector general of the Homeland Security Department criticized the department’s Office of Cybersecurity and Communications (CS&C) for not developing an effective process to ensure that contractors working on the CyberScope program receive the training they need to do their jobs.

“CS&C cannot guarantee the security of the data collected through CyberScope without ensuring that all people involved understand their roles and responsibilities and are adequately trained to perform them,” the IG report states.

On the other hand, DHS is one of the federal government’s bright spots when it comes to role-based training. In fiscal 2012, the department began developing a Microsoft SharePoint-based program to enable its different components to share training content and opportunities, according to a separate report by the DHS IG. In this process, DHS officials have identified more than 100 unique “significant security roles” across the department, the IG reports.

Beyond meeting specific training needs, the Obama administration would like to work with experts across government and industry to develop a more methodical approach toward building a cyber workforce, according to the fiscal 2012 report to Congress on the implementation of the Federal Information Security Management Act of 2002.

To make that happen, however, cybersecurity leaders must come to terms on a basic cybersecurity vocabulary.

“In the past, there has been little consistency in how the cybersecurity workforce and cybersecurity work is defined or described throughout the nation,” the report states. “The absence of a common language to discuss and understand the work and skill requirements of cybersecurity professionals has hindered our nation’s ability to baseline capabilities, identify skill gaps, develop cybersecurity talent in the current workforce and prepare the pipeline of future talent.”

Source: GAO

Methodology and survey demographics

Between May 28 and June 6, 2013, 186 subscribers of FCW, GCN and other 1105 Government Information Group publications responded to an e-mail survey about cybersecurity trends in government agencies. Survey respondents were comprised of those with insight into their agencies selection of cybersecurity strategies. Beacon Technology Partners developed the methodology, fielded the survey and compiled the results.

Approximately three out of four respondents were technology decision-makers (CIOs or other IT managers or professionals), while 24 percent were senior managers, program managers or other business decision-makers. Approximately 67 percent came from the federal government (33 percent civilian, 34 percent defense) and 33 percent from state or local government agencies.

About this Report

This report was commissioned by the Content Solutions unit, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Content Solutions, please email us at GIGCustomMedia@1105govinfo.com